Outsourcing the Service, Not the Oversight

By:
Karen Garrett, Lindsay Harden

July 2nd, 2019

Every bank director has heard it: You can outsource a service, but you cannot outsource the responsibility.

That sounds clear enough, but how does a board know what its role should be when an opportunity to partner with a financial technology firm, or fintech, arises? The board’s role is oversight and guidance, not day-to-day management. But oversight is not passive. So what does board oversight look like in the evolving world of bank and fintech relationships?

Consider a bank that is reviewing a proposal from a fintech. Management believes that this is a great opportunity for the institution, and presents it to the board for approval. What is the board’s role here? The board’s involvement must be flexible enough that it can react to these situations, but it should also consider some essential inquiries, such as:

Does the proposal match up with the bank’s strategic plan? The board is responsible for the strategic direction of the bank. Directors should consider if the proposal is an appropriate project for the size, resources and initiatives of the bank. They must also think about whether the proposal aligns with the bank’s strategic plan. If the proposal does not match up with the strategic plan, they may also want to consider if it is material enough that the strategic plan should be amended.

What are the risks? The board is responsible for ensuring that an effective risk management program is in place at the bank, which includes the ability to fully assess risks and establish controls and oversight to mitigate those risks. It should assess the fintech proposal through its risk management process

Management should provide the board with a comprehensive risk assessment of the proposed relationship that thoroughly outlines how each identified risk will be mitigated. The board should look at that assessment critically. Was it prepared by competent and experienced personnel? Does it appear to be thorough? Does it focus on IT risks or other narrow issues, or take into account all of the compliance issues? Does it include state laws, which is especially important if the bank is state-chartered? How does the assessment address concerns about privacy and cybersecurity? What does it say about reputation risk?

Is there a negotiated contract that addresses all of the risks? The board is responsible for ensuring that all third-party relationships are documented in negotiated contracts that protect the interests of the bank. The board needs to ensure that appropriate legal counsel is engaged to negotiate the arrangement, depending on the riskiness of a proposed fintech relationship. Counsel should have a thorough understanding of the legal issues involved in the proposed program and the applicable regulatory guidelines for third-party contracts.

The actual contract negotiation should be done by management. However, the board could consider requiring a summary of the important contract provisions or a presentation by management or legal counsel about the terms, depending on the level of risk involved and materiality to the bank.

How will the board know if the program is performing? The board should receive ongoing reports relating to monitoring of the program and the fintech. These reports should be sufficient for the board to establish that the program is compliant with law, operates in accordance with the contract and meets the strategic objectives of the bank. If the program is not performing, the board should know whether appropriate action is underway to either facilitate performance or terminate the program.

A bank’s board cannot outsource its responsibility for outsourced services, even if a fintech partner seems to have a fantastic product. The board must ask enough questions to be certain that management has engaged in appropriate due diligence, identified the risks and determined how to mitigate those risks through the contract and oversight. The implementation of all of those steps is up to management. But one role in particular rests with the board: ensuring that the relationship with the fintech partner furthers the strategic goals of the bank.

Karen Garrett is a partner at Stinson LLP. She navigates the complexities of regulatory compliance and corporate law to work hand-in-hand with clients to design and implement financial products and services for banking and other financial services entities.

Lindsay Harden is an associate at Stinson LLP. She helps banking and financial services clients structure their fintech, payments and banking products and platforms in compliance with state and federal law.